Merge branch 'fix-sanitize-svg' into 'master'

Update SVG sanitizer to conform to SVG 1.1 Original SVG sanitizer would strip out necessary elements and attributes. Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate to handle case-sensitive SVG attributes since they parse documents as HTML instead of XML, which causes all SVG attribute names (e.g. `viewBox`) to be downcased. * SVG element list: https://www.w3.org/TR/SVG/eltindex.html * SVG attribute list: https://www.w3.org/TR/SVG/attindex.html Closes #14555 See merge request !3401
author: Robert Speicher <robert@gitlab.com> 2016-05-07 22:08:46 +0300
committer: Robert Speicher <robert@gitlab.com> 2016-05-07 22:08:46 +0300
commit: 4a844b73ff2daf6b08dc36a8c7117df753b8bdd7 (patch)
tree: 29a415bf256895bd84d4a9bb26dc3702c5aea9f5 /app
parent: f3578baa83ca8d576f4fe1bef50ebae61615768e (diff)
parent: 21d89d0286e385d6d0a4debdbf7c801939c3e279 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 474c6f27374..93241b3afb7 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -131,7 +131,7 @@ module BlobHelper
   # elements and attributes. Note that this whitelist is by no means complete
   # and may omit some elements.
   def sanitize_svg(blob)
-    blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml
+    blob.data = Gitlab::Sanitizers::SVG.clean(blob.data)
     blob
   end
author	Robert Speicher <robert@gitlab.com>	2016-05-07 22:08:46 +0300
committer	Robert Speicher <robert@gitlab.com>	2016-05-07 22:08:46 +0300
commit	4a844b73ff2daf6b08dc36a8c7117df753b8bdd7 (patch)
tree	29a415bf256895bd84d4a9bb26dc3702c5aea9f5 /app
parent	f3578baa83ca8d576f4fe1bef50ebae61615768e (diff)
parent	21d89d0286e385d6d0a4debdbf7c801939c3e279 (diff)